Process

Schedule

The Security Review calendar is currently shared publicly for viewing. Those with higher rights must edit the calendar using zimbra.
The calendar is shared via zimbra sharing and a standard welcome message:

Note: The standard message displays your name, the name of the shared item, permissions
granted to the recipients, and login information, if necessary.

To edit a calendar event

Double click event in Zimbra like you would any other event

if the event asks if you want to edit the instance or the series you will in general only want the single instance

Edit the instance as needed and send then send (not save)

To Add a new event

Create a new event just like you would on your own calendar

Under the "Calendar" pull down select "Security Review"

When done with all the details click send

IRC Channel

Unless otherwise noted on the agenda for a review the IRC channel for reviews shall be #security.

Performing a Security Review

You can find documentation on how security reviews are performed, including the steps we take, and what documentation we expect to produce in the course of the security review at Security Review Processes.

Scheduling a Review

Design Review

All features regardless of size should have a design review. These should occur before any code is landed to Mozilla Central (MC), the goal is to find architectural flaws that may result in serious security issues. When a feature page is created a security contact should be specified for the feature to ensue the smoothest integration for security input and reviews. If you find you are missing such a contact please email secteam at mozilla dot com to have one assigned. The level of work required for design reviews will vary depending on such factors as complexity of the feature, changes to known fragile code, and/or features that alter the security posture of the product or of Mozilla as a whole. Design reviews may be followed up with implementation reviews, fuzz testing, outside code review or other security tasks as deemed necessary to ensure the safety and security of our users.

Implementation Review

Just as it sounds this is a review of a patch and its corresponding implementation prior to that patch landing in a widely use branches (MC, Aurora, Beta, etc). Not all patches will require a security review, however, if a patch is deemed to need a security review and one is not completed that patch may be backed out until such a review is completed. Patch owners will most often be contacted by the security team for such a review, however, we encourage patch authors to be proactive and contact secteam when they are in doubt or feel a security review would be beneficial.